Security awareness for dummies

Make security a priority on your team. Every organization needs a strong security program. One recent study estimated that a hacker attack occurs somewhere every 37 seconds. Since security programs are only as effective as a team's willingness to follow their rules and protocols, it's incre...


Bibliographic Details
Other Authors: Winkler, Ira (author); Morris, Tristan (author)
Format: eBook
Language: English
Published: Hoboken, NJ : Findaway World, 2022.
Edition: [First edition]
Series: --For dummies.
Subjects:
View at Biblioteca Universitat Ramon Llull: https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009661626006719
Table of Contents:

Contents at a Glance
  • Introduction (p. 1)
  • Part 1: Getting to Know Security Awareness (p. 5)
      - Chapter 1: Knowing How Security Awareness Programs Work (p. 7)
      - Chapter 2: Starting On the Right Foot: Avoiding What Doesn't Work (p. 19)
      - Chapter 3: Applying the Science Behind Human Behavior and Risk Management (p. 33)
  • Part 2: Building a Security Awareness Program (p. 51)
      - Chapter 4: Creating a Security Awareness Strategy (p. 53)
      - Chapter 5: Determining Culture and Business Drivers (p. 61)
      - Chapter 6: Choosing What to Tell The Users (p. 75)
      - Chapter 7: Choosing the Best Tools for the Job (p. 89)
      - Chapter 8: Measuring Performance (p. 107)
  • Part 3: Putting Your Security Awareness Program Into Action (p. 119)
      - Chapter 9: Assembling Your Security Awareness Program (p. 121)
      - Chapter 10: Running Your Security Awareness Program (p. 143)
      - Chapter 11: Implementing Gamification (p. 165)
      - Chapter 12: Running Phishing Simulation Campaigns (p. 181)
  • Part 4: The Part of Tens (p. 207)
      - Chapter 13: Ten Ways to Win Support for Your Awareness Program (p. 209)
      - Chapter 14: Ten Ways to Make Friends and Influence People (p. 215)
      - Chapter 15: Ten Fundamental Awareness Topics (p. 221)
      - Chapter 16: Ten Helpful Security Awareness Resources (p. 227)
  • Appendix: Sample Questionnaire (p. 233)
  • Index (p. 253)

Full Table of Contents
  • Introduction (p. 1)
      - About This Book (p. 1)
      - Foolish Assumptions (p. 2)
      - Icons Used in This Book (p. 3)
      - Beyond the Book (p. 3)
      - Where to Go from Here (p. 4)
  • Part 1: Getting to Know Security Awareness (p. 5)
  • Chapter 1: Knowing How Security Awareness Programs Work (p. 7)
      - Understanding the Benefits of Security Awareness (p. 8)
      - Reducing losses from phishing attacks (p. 8)
      - Reducing losses by reducing risk (p. 9)
      - Grasping how users initiate loss (p. 10)
      - Knowing How Security Awareness Programs Work (p. 11)
      - Establishing and measuring goals (p. 12)
      - Showing users how to "do things right" (p. 14)
      - Recognizing the Role of Awareness within a Security Program (p. 15)
      - Disputing the Myth of the Human Firewall (p. 16)
  • Chapter 2: Starting On the Right Foot: Avoiding What Doesn't Work (p. 19)
      - Making a Case Beyond Compliance Standards (p. 20)
      - Treating Compliance as a Must (p. 21)
      - Motivating users to take action (p. 22)
      - Working within the compliance budget (p. 22)
      - Limiting the Popular Awareness Theories (p. 23)
      - Applying psychology to a diverse user base (p. 23)
      - Differentiating between marketing and awareness (p. 24)
      - Distinguishing Social Engineering from Security Awareness (p. 26)
      - Addressing Mental Models That Don't Work (p. 27)
      - Making Perfection the Stated Goal (p. 28)
      - Measuring from the Start (p. 29)
      - Prioritizing Program Over Product (p. 29)
      - Choosing Substance Over Style (p. 30)
      - Understanding the Role of Security Awareness (p. 31)
  • Chapter 3: Applying the Science Behind Human Behavior and Risk Management (p. 33)
      - Achieving Common Sense through Common Knowledge (p. 34)
      - Borrowing Ideas from Safety Science (p. 35)
      - Recognizing incidents as system failures (p. 36)
      - Responding to incidents (p. 37)
      - Applying Accounting Practices to Security Awareness (p. 37)
      - Applying the ABCs of Awareness (p. 39)
      - Benefiting from Group Psychology (p. 40)
      - The ABCs of behavioral science (p. 41)
      - The Fogg Behavior Model (p. 42)
      - Relating B:MAP to the ABCs of awareness and behavior (p. 43)
      - The Forgetting Curve (p. 44)
      - Remembering That It's All About Risk (p. 45)
      - Optimizing risk (p. 46)
      - The risk formula (p. 46)
  • Part 2: Building a Security Awareness Program (p. 51)
  • Chapter 4: Creating a Security Awareness Strategy (p. 53)
      - Identifying the Components of an Awareness Program (p. 54)
      - Choosing effective communications tools (p. 55)
      - Picking topics based on business drivers (p. 56)
      - Knowing when you're a success (p. 57)
      - Figuring Out How to Pay for It All (p. 58)
  • Chapter 5: Determining Culture and Business Drivers (p. 61)
      - Understanding Your Organization's Culture (p. 62)
      - Determining security culture (p. 64)
      - Recognizing how culture relates to business drivers (p. 65)
      - Identifying Subcultures (p. 65)
      - Interviewing Stakeholders (p. 67)
      - Requesting stakeholder interviews (p. 67)
      - Scheduling the interviews (p. 70)
      - Creating interview content (p. 70)
      - Taking names (p. 72)
      - Partnering with Other Departments (p. 72)
  • Chapter 6: Choosing What to Tell The Users (p. 75)
      - Basing Topics on Business Drivers (p. 76)
      - Incorporating Personal Awareness Topics (p. 76)
      - Motivating Users to Do Things "Right" (p. 77)
      - Common Topics Covered in Security Awareness Programs (p. 79)
      - Phishing (p. 79)
      - Social engineering (p. 80)
      - Texting and instant messaging security (p. 80)
      - Physical security (p. 81)
      - Malware (p. 81)
      - Ransomware (p. 81)
      - Password security (p. 82)
      - Cloud security (p. 82)
      - USB device security (p. 82)
      - Internet of Things (p. 83)
      - Travel security (p. 83)
      - Wi-Fi security (p. 84)
      - Mobile devices (p. 84)
      - Work from home (p. 84)
      - Basic computer security (p. 85)
      - Insider threat (p. 85)
      - Protecting children on the internet (p. 85)
      - Social media security (p. 86)
      - Moving security (p. 86)
      - Compliance topics (p. 87)
  • Chapter 7: Choosing the Best Tools for the Job (p. 89)
      - Identifying Security Ambassadors (p. 90)
      - Finding ambassadors (p. 90)
      - Maintaining an ambassador program (p. 91)
      - Knowing the Two Types of Communications Tools (p. 92)
      - Reminding users to take action (p. 93)
      - Requiring interaction from users (p. 93)
      - Exploring Your Communications Arsenal (p. 95)
      - Knowledgebase (p. 95)
      - Posters (p. 96)
      - Hardcopy newsletters (p. 97)
      - Monitor displays (p. 97)
      - Screen savers (p. 98)
      - Pamphlets (p. 98)
      - Desk drops (p. 99)
      - Table tents (p. 99)
      - Coffee cups or sleeves (p. 99)
      - Stickers (p. 100)
      - Mouse pads (p. 100)
      - Pens and other useful giveaways (p. 100)
      - Camera covers (p. 101)
      - Squishy toys and other fun giveaways (p. 101)
      - Active communications tools (p. 101)
  • Chapter 8: Measuring Performance (p. 107)
      - Knowing the Hidden Cost of Awareness Efforts (p. 108)
      - Meeting Compliance Requirements (p. 109)
      - Collecting Engagement Metrics (p. 111)
      - Attendance metrics (p. 111)
      - Likability metrics (p. 112)
      - Knowledge metrics (p. 112)
      - Measuring Improved Behavior (p. 113)
      - Tracking the number of incidents (p. 113)
      - Examining behavior with simulations (p. 114)
      - Tracking behavior with gamification (p. 116)
      - Demonstrating a Tangible Return on Investment (p. 116)
      - Recognizing Intangible Benefits of Security Awareness (p. 117)
      - Knowing Where You Started: Day 0 Metrics (p. 118)
  • Part 3: Putting Your Security Awareness Program Into Action (p. 119)
  • Chapter 9: Assembling Your Security Awareness Program (p. 121)
      - Knowing Your Budget (p. 122)
      - Finding additional sources for funding (p. 123)
      - Allocating for your musts (p. 125)
      - Limiting your discretionary budget (p. 126)
      - Appreciating your team as your most valuable resource (p. 126)
      - Choosing to Implement One Program or Multiple Programs (p. 127)
      - Managing multiple programs (p. 128)
      - Beginning with one program (p. 128)
      - Gaining Support from Management (p. 129)
      - Devising a Quarterly Delivery Strategy (p. 131)
      - Ensuring that your message sticks (p. 133)
      - Distributing topics over three months (p. 133)
      - Deciding Whether to Include Phishing Simulations (p. 136)
      - Planning Which Metrics to Collect and When (p. 137)
      - Considering metrics versus topics (p. 137)
      - Choosing three behavioral metrics (p. 138)
      - Incorporating Day 0 metrics (p. 138)
      - Scheduling periodic updates (p. 138)
      - Biasing your metrics (p. 139)
      - Branding Your Security Awareness Program (p. 139)
      - Creating a theme (p. 139)
      - Maintaining brand consistency (p. 140)
      - Coming up with a catchphrase and logo (p. 140)
      - Promoting your program with a mascot (p. 140)
  • Chapter 10: Running Your Security Awareness Program (p. 143)
      - Nailing the Logistics (p. 144)
      - Determining sources or vendors (p. 144)
      - Scheduling resources and distribution (p. 145)
      - Contracting vendors (p. 145)
      - Recognizing the role of general project management (p. 146)
      - Getting All Required Approvals (p. 146)
      - Getting the Most from Day 0 Metrics (p. 147)
      - Creating Meaningful Reports (p. 149)
      - Presenting reports as a graphical dashboard (p. 149)
      - Adding index scores (p. 152)
      - Creating an awareness index (p. 152)
      - Reevaluating Your Program (p. 153)
      - Reconsidering your metrics (p. 154)
      - Evaluating your communications tools (p. 155)
      - Measuring behavioral changes (p. 156)
      - Redesigning Your Program (p. 157)
      - Anything stand out? (p. 158)
      - Adding subcultures (p. 158)
      - Adding, deleting, and continuing metrics (p. 159)
      - Adding and discontinuing communications tools (p. 159)
      - Revisiting awareness topics (p. 160)
      - Considering Breaking News and Incidents (p. 161)
  • Chapter 11: Implementing Gamification (p. 165)
      - Understanding Gamification (p. 166)
      - Identifying the Four Attributes of Gamification (p. 168)
      - Figuring Out Where to Gamify Awareness (p. 169)
      - Examining Some Tactical Gamification Examples (p. 170)
      - Phishing reporting (p. 170)
      - Clean desk drops (p. 171)
      - Tailgating exercises (p. 172)
      - USB drop reporting (p. 173)
      - Reporting security incidents (p. 173)
      - Ad hoc gamification (p. 174)
      - Putting Together a Gamification Program (p. 175)
      - Determining reward tiers (p. 175)
      - Offering valid rewards (p. 177)
      - Assigning points to behaviors (p. 178)
      - Tracking users and the points they earn (p. 179)
      - Promoting the Program (p. 179)
  • Chapter 12: Running Phishing Simulation Campaigns (p. 181)
      - Knowing Why Phishing Simulations Matter (p. 182)
      - Setting Goals for Your Phishing Program (p. 183)
      - Checking the box (p. 183)
      - Producing easy metrics (p. 183)
      - Benefiting from just-in-time training (p. 184)
      - Differentiating between risky and secure users (p. 184)
      - Planning a Phishing Program (p. 185)
      - Identifying the players (p. 185)
      - Obtaining permission and buy-in (p. 186)
      - Allocating enough time for phishing simulations (p. 187)
      - Choosing responsive tools (p. 187)
      - Choosing a Phishing Tool (p. 188)
      - Creating custom phishing tools (p. 188)
      - Choosing vendor options (p. 189)
      - Implementing a Phishing Simulation Program (p. 192)
      - Integrating Active Directory (p. 192)
      - Working with subcultures and geographies (p. 193)
      - Choosing languages (p. 193)
      - Registering phishing domains (p. 194)
      - Defining program goals (p. 194)
      - Collecting Day 0 metrics (p. 194)
      - Running a Phishing Simulation (p. 195)
      - Determining the targets (p. 195)
      - Preparing the lures (p. 196)
      - Creating landing pages (p. 200)
      - Addressing logistical concerns (p. 201)
      - Conducting a pilot test (p. 203)
      - Tracking Metrics and Identifying Trends (p. 204)
      - Dealing with Repeat Offenders (p. 205)
      - Management Reporting (p. 206)
  • Part 4: The Part of Tens (p. 207)
  • Chapter 13: Ten Ways to Win Support for Your Awareness Program (p. 209)
      - Finding Yourself a Champion (p. 209)
      - Setting the Right Expectations (p. 210)
      - Addressing Business Concerns (p. 211)
      - Creating an Executive Program (p. 211)
      - Starting Small and Simple (p. 212)
      - Finding a Problem to Solve (p. 212)
      - Establishing Credibility (p. 213)
      - Highlighting Actual Incidents (p. 213)
      - Being Responsive (p. 213)
      - Looking for Similar Programs (p. 214)
  • Chapter 14: Ten Ways to Make Friends and Influence People (p. 215)
      - Garnering Active Executive Support (p. 215)
      - Courting the Organization's Influencers (p. 216)
      - Supporting Another Project That Has Support (p. 216)
      - Choosing Topics Important to Individuals (p. 217)
      - Having Some Fun Events (p. 218)
      - Don't Promise Perfection (p. 218)
      - Don't Overdo the FUD Factor (p. 218)
      - Scoring an Early Win (p. 219)
      - Using Real Gamification (p. 219)
      - Integrating the Organization's Mission Statement (p. 220)
  • Chapter 15: Ten Fundamental Awareness Topics (p. 221)
      - Phishing (p. 221)
      - Business Email Compromise (p. 222)
      - Mobile Device Security (p. 222)
      - Home Network and Computer Security (p. 223)
      - Password Security (p. 223)
      - Social Media Security (p. 223)
      - Physical Security (p. 224)
      - Malware and Ransomware (p. 224)
      - Social Engineering (p. 225)
      - It Can Happen to You (p. 225)
  • Chapter 16: Ten Helpful Security Awareness Resources (p. 227)
      - Security Awareness Special Interest Group (p. 228)
      - CybSafe Research Library (p. 228)
      - Cybersecurity Culture Guidelines (p. 229)
      - RSA Conference Library (p. 229)
      - You Can Stop Stupid (p. 229)
      - The Work of Sydney Dekker (p. 230)
      - Human Factors Knowledge Area (p. 230)
      - People-Centric Security (p. 230)
      - Human Security Engineering Consortium (p. 231)
      - How to Run a Security Awareness Program Course (p. 231)
  • Appendix: Sample Questionnaire (p. 233)
  • Index (p. 253)